
SSH 1024 bit keys vs. 2048 bit keys

 
Ken Robinson
Valued Contributor

We are running:

$ tcpip sho ver

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a AlphaServer ES40 running OpenVMS V7.3-2

$ ssh "-V"
$2$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (V5.5) 3.2.0 on AlphaServer ES40 - VMS V7.3-2

I am working with another group in our organization to get SFTP working from them (Unix) to us (VMS).

They sent me their generated RSA key, which I converted to the format needed for VMS, made sure the converted key was a STREAM_LF formatted file, and added the reference to the converted key in the appropriate authorization file.

When an SFTP transfer was tried, they got a prompt for a password.

I tried the same sequence on a Linux machine I have access to and the SFTP command worked fine and did not ask for a password.

When I checked the SSH log file (I had turned on debugging), I saw that the key they had sent me and I converted wasn't being found to be a match.

I then noticed that the key they had generated was a 1024 bit key. When I went back to my Linux machine and generated a 1024 bit key, converted it, etc., it did not work (I got a password prompt). This failure is true with both RSA and DSA keys.

Is there anything I can do on the VMS side to find out why 1024 bit keys are being rejected?

I've asked the people who generated the first key to generate a 2048 bit key and to send it to me. If that works, I will be fairly certain that I've hit a bug somewhere in SSH.

Ken
Steven Schweda
Honored Contributor

Re: SSH 1024 bit keys vs. 2048 bit keys

> [...] which I converted to the format
> needed for VMS, [...]

Glad you think so. Evidence might be more
convincing. As I read your description, it
appears that every key you "convert" fails.

> Is there anything I can do on the VMS side
> to find out why 1024 bit keys are being
> rejected?

"ssh -v"?

I'm pretty sure that my DSA keys are all 1024
bits, and it all works for me.
Ken Robinson
Valued Contributor

Re: SSH 1024 bit keys vs. 2048 bit keys

Never mind, it turned out to be a number of mis-steps on both sides that looked like the problem was the keys. It wasn't.
John Gillings
Honored Contributor

Re: SSH 1024 bit keys vs. 2048 bit keys

Ken,

>I will be fairly certain that I've hit a
>bug somewhere in SSH.

That would be a rather fundamental bug. Unlikely that you would suddenly find such a serious bug in a product as old as SSH.

I use 2048 bit keys between OpenVMS systems, but 1024 keys between OpenVMS and Windows systems because Windows didn't seem to understand 2048 bit keys. (I also recall it was a fiddle to get the format of the key exactly right.)

I guess that shows that both sizes can work on OpenVMS. It also shows you may need to find a lowest common denominator when dealing with different platforms.

Maybe try creating keys of different size on OpenVMS and compare the resulting files with the keys generated elsewhere. You could also try using the OpenVMS generated key on the other end.
A crucible of informative mistakes
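
One way to carry out the file comparison suggested in the last reply, as an added example that is not part of any post in this thread: it decodes a public key from either the OpenSSH one-line form or the RFC 4716 "SSH2" block form and returns the key type, bit length and a hash of the key blob, so two files can be checked for holding the same key. That the converted VMS file is an RFC 4716 block is an assumption (the thread does not name the format), and the sample key is constructed, not a usable RSA key.

```python
import base64, hashlib

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated field: key data damaged or cut short")
        out.append(blob[i:i + n])
        i += n
    return out

def load_pubkey(text):
    """Return the raw key blob from an OpenSSH line or an RFC 4716 block."""
    lines = [l.strip() for l in text.replace("\r", "\n").split("\n") if l.strip()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        body, cont = [], False
        for l in lines[1:]:
            if l.startswith("---- END"):
                break
            header = cont or ":" in l            # base64 never contains ':'
            cont = header and l.endswith("\\")   # header continues on next line
            if not header:
                body.append(l)
        b64 = "".join(body)
    else:
        b64 = lines[0].split()[1]                # "ssh-rsa AAAA... comment"
    return base64.b64decode(b64, validate=True)

def describe(text):
    """Return (key type, bit length, SHA-256 of blob) for comparing two files."""
    blob = load_pubkey(text)
    f = _fields(blob)
    ktype = f[0].decode("ascii")
    # ssh-rsa blob: type, e, n; ssh-dss blob: type, p, q, g, y
    size_field = {"ssh-rsa": 2, "ssh-dss": 1}[ktype]
    return ktype, int.from_bytes(f[size_field], "big").bit_length(), hashlib.sha256(blob).hexdigest()

# Constructed sample (not a usable key): e = 65537 and a 1024-bit "modulus".
def _mp(n):  # SSH mpint; the extra byte gives the leading zero a set top bit needs
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return len(b).to_bytes(4, "big") + b
_B64 = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + _mp(65537) + _mp((1 << 1023) | 1)).decode()
OPENSSH = "ssh-rsa " + _B64 + " constructed@example"
SSH2 = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed"',
                  *[_B64[i:i + 70] for i in range(0, len(_B64), 70)], "---- END SSH2 PUBLIC KEY ----"])
```

If `describe()` gives the same triple for the original and the converted file, the conversion preserved the key and the mismatch lies elsewhere, for example in the authorization file entry or file attributes.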